Pkcs11 soft ocsp tests by krishnavema · Pull Request #8557 · SSSD/sssd

krishnavema · 2026-03-27T16:09:36Z

Add optional label parameter for pkcs11 support

gemini-code-assist

Code Review

This pull request addresses RHEL-5043 by improving OCSP timeout handling in p11_child. It introduces a default timeout for soft_ocsp requests to prevent indefinite blocking and adjusts the OCSP deadline calculation to use half of the total allocated timeout, providing a buffer for result processing. Additionally, a new suite of system tests has been added to verify smart card authentication behavior under various OCSP responder availability scenarios. I have no feedback to provide.

alexey-tikhonov · 2026-04-09T13:19:18Z

@krishnavema, @spoore1, what branches does this target?

thalman

The tests and change looks good, but the requirements should not point to private fork

thalman · 2026-04-09T15:28:54Z

 git+https://github.com/next-actions/pytest-tier
 git+https://github.com/next-actions/pytest-output
-git+https://github.com/SSSD/sssd-test-framework
+#git+https://github.com/SSSD/sssd-test-framework


This must be reverted before merging

spoore1

Main thing I think is to move the tests into the existing test_smartcard.py file and use it's helper functions. Besides that, mostly questions for clarification.

spoore1 · 2026-04-16T19:15:57Z

+    time.sleep(VIRT_CACARD_SETTLE_SECONDS)
+
+
+def _assert_smartcard_auth_success(client: Client, username: str) -> None:


Didn't you write an authentication util for su for this in another PR? I think that should be used here.

I guess there is no existing util , do you mean somewhere in specific ?

I was talking about what you did in this other PR here:
https://github.com/SSSD/sssd-test-framework/pull/239/changes#diff-3399c4ca6a52ee78cd188bf544a4db3318c8e89d60f0476f0566097b58145b08

I think that should be used for this test too if it can be. Maybe we need to review that PR along with this one too?

thalman

Scott's questions made me go through the code once more and I think that this is bad approach. See my comment.

spoore1 · 2026-04-21T18:10:30Z

Testing on Fedora 42 with a downgraded version of sssd does reproduce the issue but, I'm unable to reproduce it anywhere else at this time.

[root@client ~]# rpm -q sssd
sssd-2.10.2-3.fc42.x86_64

[root@client ~]# su - smartcarduser1 -c 'su - smartcarduser1 -c whoami'
su: warning: cannot change directory to /home/smartcarduser1: No such file or directory
Password:

When I upgrade to the latest available in Fedora 42, I see it work:

[root@client ~]# rpm -q sssd
sssd-2.11.1-2.fc42.x86_64

[root@client ~]# su - smartcarduser1 -c 'su - smartcarduser1 -c whoami'
su: warning: cannot change directory to /home/smartcarduser1: No such file or directory
PIN for smartcarduser1: 
su: warning: cannot change directory to /home/smartcarduser1: No such file or directory
smartcarduser1

Testing with the version built from this PR is not working for me however:

[root@client ~]# rpm -q sssd
sssd-2.13.0-99.20260417165143281553.pr8557.161.g0b090a236.fc42.x86_64

[root@client ~]# su - smartcarduser1 -c 'su - smartcarduser1 -c whoami'
su: warning: cannot change directory to /home/smartcarduser1: No such file or directory
Password:

FYI, to test with the version built here, I used:

dnf copr enable packit/SSSD-sssd-8557 fedora-42-x86_64

Also, I tested with the master branch from sssd-ci-containers to run the Fedora 42 containers.

spoore1 · 2026-05-13T21:24:44Z

I'm seeing the tests pass in Fedora 42 now for this version of sssd from this PR:

sssd-2.14.0-99.20260512082613085134.pr8557.194.g273d94b8f.fc42.x86_64

Test results:

tests/test_smartcard.py::test_smartcard__soft_ocsp_with_unreachable_responder (ipa) PASSED
tests/test_smartcard.py::test_smartcard__soft_ocsp_with_reachable_responder (ipa) PASSED
tests/test_smartcard.py::test_smartcard__soft_ocsp_with_connection_refused (ipa) PASSED

spoore1

I have a few questions about some of the sssd.conf settings but, the biggest thing is that I think you can now move from using some of the helper functions to some of the other methods you created in other PRs. Let me know if you have a specific reason for keeping the helpers I point out.

spoore1 · 2026-05-13T22:09:30Z

+    if certificate_verification is not None:
+        client.sssd.sssd["certificate_verification"] = certificate_verification
+
+    client.sssd.domain["local_auth_policy"] = "enable:smartcard"


Is this option really needed? It's usually only necessary for LDAP/local user authentication where Kerberos isn't used. It can allow authentication in IPA/AD configurations when Kerberos isn't working or the domain controller seems to be offline. I believe this can mask some issues if something is wrong in test environments like IPA.

FYI, I tested with this option commented and the tests pass "most of the time". During one failure, I manually checked and smart card authentication was working so I believe it may have been a timing issue in my env.

…mart card authentication (resolves: RHEL-5043)

gemini-code-assist Bot reviewed Mar 27, 2026

View reviewed changes

krishnavema mentioned this pull request Mar 27, 2026

Add optional label parameter for pkcs11 support SSSD/sssd-test-framework#241

Merged

krishnavema requested review from spoore1 and thalman March 27, 2026 16:12

thalman self-assigned this Mar 31, 2026

krishnavema assigned spoore1 Apr 1, 2026

krishnavema marked this pull request as ready for review April 1, 2026 03:55

thalman requested changes Apr 9, 2026

View reviewed changes

alexey-tikhonov added the Tests label Apr 14, 2026

spoore1 requested changes Apr 16, 2026

View reviewed changes

thalman requested changes Apr 17, 2026

View reviewed changes

Comment thread src/p11_child/p11_child_openssl.c Outdated

krishnavema force-pushed the pkcs11-soft-ocsp-tests branch from 8845bce to 49f5b90 Compare April 17, 2026 16:50

krishnavema requested review from spoore1 and thalman April 17, 2026 16:59

thalman added the Changes requested label Apr 28, 2026

krishnavema force-pushed the pkcs11-soft-ocsp-tests branch 3 times, most recently from e0a9baf to 99eb23b Compare May 12, 2026 08:24

spoore1 requested changes May 13, 2026

View reviewed changes

krishnavema force-pushed the pkcs11-soft-ocsp-tests branch from 99eb23b to eb0edc3 Compare May 15, 2026 09:46

Add default timeout handling for soft_ocsp and regression tests for s…

79906a2

…mart card authentication (resolves: RHEL-5043)

krishnavema force-pushed the pkcs11-soft-ocsp-tests branch from eb0edc3 to 79906a2 Compare May 15, 2026 09:47

		time.sleep(VIRT_CACARD_SETTLE_SECONDS)


		def _assert_smartcard_auth_success(client: Client, username: str) -> None:

Conversation

krishnavema commented Mar 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

alexey-tikhonov commented Apr 9, 2026

Uh oh!

thalman left a comment

Choose a reason for hiding this comment

Uh oh!

thalman Apr 9, 2026

Choose a reason for hiding this comment

Uh oh!

spoore1 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

spoore1 Apr 16, 2026

Choose a reason for hiding this comment

Uh oh!

krishnavema Apr 17, 2026

Choose a reason for hiding this comment

Uh oh!

spoore1 Apr 21, 2026

Choose a reason for hiding this comment

Uh oh!

thalman left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

spoore1 commented Apr 21, 2026

Uh oh!

spoore1 commented May 13, 2026

Uh oh!

spoore1 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

spoore1 May 13, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

krishnavema commented Mar 27, 2026 •

edited

Loading

thalman left a comment •

edited

Loading